nasauber.de

Howto: Virtual users for vsftpd

I recently noticed that this howto was gone due to the "Linux Know How" section being removed some time ago. This one is actually useful though, so I'm re-adding it as a blog post now.

Virtual users (users with no real account on the system) can be easily set up for vsftpd. We will use PAM's pam_userdb module to authenticate the virtual users.

We need one real user for this to work. I simply used the ftp user, as this one is normally already there and has no shell login anyway. Of course, you can use or create any user you want for this. Set the home directory of this user to the root of the FTP directories we want to serve, e.g.:

usermod -d /srv/ftp ftp

Here we have the relevant part of the /etc/vsftpd/vsftpd.conf I use:

local_enable=YES
guest_enable=YES
write_enable=YES

nopriv_user=ftp
guest_username=ftp
virtual_use_local_privs=YES

pam_service_name=vsftpd.virtual
user_sub_token=$USER
local_root=/srv/ftp/$USER

chroot_local_user=YES
allow_writeable_chroot=YES

Of course, you are free to add other options, like logging, umask, etc.

The config says it uses vsftpd.virtual to authenticate the virtual users. So let's also create the respective PAM config file /etc/pam.d/vsftpd.virtual:

#%PAM-1.0
auth    required pam_userdb.so db=/etc/vsftpd/users crypt=crypt
account required pam_userdb.so db=/etc/vsftpd/users crypt=crypt
session required pam_loginuid.so

Notice the reference to /etc/vsftpd/users, not /etc/vsftpd/users.db (which will be the actual filename used): pam_userdb expects the database path without the .db suffix. We append crypt=crypt to indicate that the database stores crypt(3)-hashed passwords (nobody wants to store clear text passwords, does anybody?).

Finally, we need to add one or more virtual users to the userdb. I wrote a script called userdbadm to do this in an easy way. Of course, you can create the database in whatever way you want to. When using userdbadm, it's something like:

userdbadm /etc/vsftpd/users.db add virtual_user

Notice the .db here! You will be prompted for a password. The user name and the salted, hashed password will be stored in the database.

Finally, the virtual user needs a home directory which will be served by vsftpd when the user logs in. It has to be owned by the real user vsftpd uses. For the above example, we simply do:

mkdir /srv/ftp/virtual_user
chown ftp:ftp /srv/ftp/virtual_user

That's it :-) Restart vsftpd and have fun with virtual users now!
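
The following consistency check for the setup above is an added example, not part of the original howto or of userdbadm. The function names (check_vsftpd_virtual, conf_get, note) are made up for illustration, and the test for a group- or world-readable users.db is an extra check that assumes the database should only be readable by its owner, since it holds the password hashes.

```sh
#!/bin/sh
# Added example (not from the original post): consistency check for the
# virtual-user setup above. Prints findings, returns how many there were.

conf_get() {    # conf_get FILE KEY -> value of the last KEY=value line
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

note() { echo "FINDING: $*"; findings=$((findings + 1)); }

check_vsftpd_virtual() {    # args: vsftpd.conf, PAM directory, virtual user
    conf=$1 pam_file=$2/$(conf_get "$1" pam_service_name) user=$3 findings=0
    guest=$(conf_get "$conf" guest_username)
    token=$(conf_get "$conf" user_sub_token)
    home=$(conf_get "$conf" local_root)

    if [ ! -f "$pam_file" ]; then
        note "PAM service file $pam_file is missing"
    else
        # db= names the database without .db; the file on disk has the suffix
        for db in $(sed -n '/^#/d
            s/.*pam_userdb\.so.*[[:space:]]db=\([^[:space:]]*\).*/\1/p' \
            "$pam_file" | sort -u); do
            case $db in *.db) note "db=$db should not include .db" ;; esac
            if [ ! -f "$db.db" ]; then
                note "user database $db.db does not exist"
            elif [ -n "$(find "$db.db" -prune \( -perm -040 -o -perm -004 \))" ]; then
                note "$db.db stores password hashes but is group/world readable"
            fi
        done
        grep -q 'pam_userdb\.so.*crypt=crypt' "$pam_file" ||
            note "crypt=crypt missing: pam_userdb would expect plaintext passwords"
    fi

    # Replace user_sub_token inside local_root with the virtual user's name
    if [ -n "$token" ]; then
        case $home in *"$token"*)
            home=${home%%"$token"*}$user${home#*"$token"} ;;
        esac
    fi
    if [ ! -d "$home" ]; then
        note "home directory $home for $user is missing"
    elif [ -z "$(find "$home" -prune -user "$guest" 2>/dev/null)" ]; then
        note "$home is not owned by guest_username=$guest"
    fi
    return "$findings"
}

# Usage: sh check.sh /etc/vsftpd/vsftpd.conf /etc/pam.d virtual_user
if [ $# -eq 3 ]; then check_vsftpd_virtual "$@"; fi
```

The exit status is the number of findings, so 0 means the configuration, PAM file, database and home directory agree with each other.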